Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible with no auth or interaction needed; only password-protected post text exposed (C:L); no integrity or availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts.
AnalysisAI
Context Blog WordPress theme (all versions through 1.3.5) exposes the full content of password-protected posts to unauthenticated remote attackers through the context_blog_modal_popup component, effectively bypassing WordPress's native content-gating mechanism. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivially low exploitation complexity with no authentication or user interaction required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must be running Context Blog theme version 1.3.5 or earlier, and must have at least one post protected using WordPress's built-in password feature - without password-protected posts, there is no restricted content to expose. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects the exploitability profile: remotely triggerable, low complexity, no credentials required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for WordPress sites using the Context Blog theme (detectable via theme stylesheet headers or directory enumeration) and identifies that password-protected posts are listed in the site's post index or sitemap. The attacker sends a crafted unauthenticated HTTP request directly to the `context_blog_modal_popup` endpoint referencing the target post ID, bypassing WordPress's password-gate entirely. … |
| Remediation | Update the Context Blog theme to the latest version available in the WordPress theme repository, which should incorporate the fix committed in Trac changeset 329636 (https://themes.trac.wordpress.org/changeset?reponame=&old=329636%40context-blog&new=329636%40context-blog). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43153
GHSA-mpm3-jfch-qphv